Archived view for bgp.rocks › my-first-steps-with-a-yubikey.gmi, captured on 2021-11-30 at 20:18:30.
Published on 2021-04-22.
I recently got myself a [YubiKey 5C Nano](https://www.yubico.com/se/product/yubikey-5c-nano/), the reason being to learn more about security keys and to have some fun playing around with it. While getting started might not be hard, there are still lots of terms and abbreviations to keep track of, and lots of differing information out on the Internet. These are my notes, where I try to summarize some of the information for myself.
I'm not an expert by any means so I might be horribly wrong on some things. Make sure to look things up on your own.
What is a YubiKey? - It's a small(ish) device that plugs into your computer via USB or talks to your mobile device via NFC. Once connected to the computer it shows up as a keyboard device. The device has a touch surface that's used to verify that a human is present when the device is being used.
Who makes it? - The company [Yubico](https://www.yubico.com/). The company was founded in Sweden but is now headquartered in the US. On the [website](https://www.yubico.com/products/manufacturing/) they claim the devices are manufactured in Sweden and the US. I live in Sweden and my device was sent from the Netherlands.
What makes it secure? - I have no idea. There's no code available and the company is based in the US, so I guess that could be something to consider if you were to get one of these devices. Since I got my device for personal use and for fun, neither of those points is an issue for me.
When using the device you will have to physically touch it to make it continue with its actions, and for some operations a PIN is required. So if you have encrypted important files using a key that's on the YubiKey, both the physical key and a PIN would be needed to decrypt the files. That adds another layer of security.
What are the alternatives? - There is a German open-source product called the [Nitrokey](https://www.nitrokey.com/). I have not tested it so I have no idea how well it works. I would have gotten one of these devices instead, had a USB-C device been available at the time of my decision. When it is available I might get one for comparison.
When I received my key and wanted to start learning about it and its capabilities, I was thrown into a world of new words and short abbreviations. This is a short list to help me remember what they are and what they mean. This could be very wrong, so please verify it on your own; the [Yubico developers site](https://developers.yubico.com/) has some documentation.
- WebAuthn - A standard for replacing the common username and password login method with a security key.
- OTP - One-Time Password. A password that's generated and then expires so if it's sniffed it can't be used again.
- U2F - Kinda like WebAuthn, but can also use a password and different devices for authentication.
- OATH - Two different OTP algorithms (TOTP/HOTP).
- PGP - A standard for signing and encryption, using public and private keys. The private key can be stored on a YubiKey.
- PIV - Like PGP, but a US government standard.
- NFC - Near Field Communication. Lets, for instance, a cellphone and the YubiKey communicate with each other.
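To make the OTP and OATH entries above concrete, here is an added example (not code from the original post, and not Yubico's implementation) of what the OATH feature on the key actually computes: HOTP per RFC 4226 and TOTP per RFC 6238, using the RFC test secret "12345678901234567890". It also includes a small server-side verifier, written here for illustration, that shows why a sniffed one-time code cannot be reused: the server only accepts counters above the last one it has already seen, within a look-ahead window.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (the ASCII string "12345678901234567890")
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation of 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    periods since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


class HotpVerifier:
    """Illustrative server-side HOTP check (not from the post or from Yubico).

    Keeps the highest counter already accepted and only tries counters above
    it, so a replayed code is rejected even if it was sniffed in transit. The
    look-ahead window tolerates presses on the key that never reached the
    server.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # move the window forward
                return True
        return False


def replay_demo() -> list:
    """Constructed sequence: a valid code, the same code replayed, a later
    code after skipped presses, and a code from behind the window."""
    server = HotpVerifier(RFC_SECRET)
    return [
        server.verify(hotp(RFC_SECRET, 0)),  # True: first use of counter 0
        server.verify(hotp(RFC_SECRET, 0)),  # False: replay of counter 0
        server.verify(hotp(RFC_SECRET, 2)),  # True: counter 1 skipped, still in window
        server.verify(hotp(RFC_SECRET, 1)),  # False: behind the accepted counter
    ]


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_SECRET, c)}")
    print("TOTP (8 digits) at t=59:", totp(RFC_SECRET, 59, digits=8))
    print("Replay demo:", replay_demo())
```

The key holds the secret and the counter; the server holds a copy of the secret and the verifier state. The point the OTP bullet makes, that a captured code "can't be used again", holds only because the server side refuses counters it has already consumed, so that state must be kept per account and never rolled back.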
So what can the YubiKey actually be used for (non-exhaustive list)?
- Encrypt/sign e-mails and files
- Used when SSH'ing to servers
- Act as a physical key for logging in to devices/computers
- For logging in to [websites](https://www.dongleauth.info/) and [services](https://www.yubico.com/se/works-with-yubikey/catalog/)
To configure the different features on the key there are some tools available:
- [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) - Graphical and easy to use.
- [Yubico PIV Tool](https://developers.yubico.com/yubico-piv-tool/) - Only for the PIV feature.
- [YubiKey Manager CLI](https://developers.yubico.com/yubikey-manager/) (ykman) - The best of the three if you're comfortable with the CLI. It can configure all features and the syntax is easy.
I recommend a mix of the Manager and the Manager CLI. The graphical manager can't configure all the features, but it gives you a good start and helped me visualize how some of the features are set up. I was then able to use the ykman CLI tool to configure the settings that are not available through the graphical interface.
So what do I think of the YubiKey?
I like it, both the concept and the product. It was a bit of a challenge to get going, but after a few hours of fiddling around the pieces are starting to fall into place. The documentation on the developer website can be a bit confusing and sometimes not very well laid out. It's not bad, but it required a few passes of reading and trying. The software used to manage the device works well and I haven't noticed any issues.
I would recommend it (or a similar product) to anyone wanting to up their security. It does add another level of responsibility (for instance, having a backup in case the key is lost or broken), but with some thought I believe it can be a great addition for extra security.